Listener Port, Collection, and Retention Settings
NTA Settings dialog (menu ) provides NTA system and application settings such as logging, listening port, data retention, and data management properties.
(General settings)
- . Specify the TCP/IP port number and/or IP address on which the Network Traffic Analysis collector service should listen to receive flow packets, or leave blank to keep the default setting. Network Traffic Analysis can listen on one or more ports/IP addresses.
- If you do not specify a port number, 9999 is the designated default.
- If you do not define an IP address or you specify a value of "0.0.0.0", the NTA collector listens on all IP addresses (all IP addresses configured for the device where the collector is running).
: If you configure Network Traffic Analysis to listen on a port other than the default port, verify that the port is not already in use by another service. Additionally, if you are using Windows Firewall, ensure that an exception for the port is added to the firewall.
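A pre-flight check for the listener settings above, written here as an added example (not the product's own code): it applies the documented defaults (blank port means 9999, blank or "0.0.0.0" address means every local address) to one or more listener entries and then probes whether each endpoint can still be bound, which is how you verify that another service is not already using the port. The `(address, port)` string pairs are an assumed input shape for the dialog's values.

```python
"""Pre-flight checks for NTA collector listener settings (added example, not product code).

Assumed rules, taken from the settings description: a blank port means 9999, a blank
or "0.0.0.0" address means every local address, and several listeners may be configured.
"""
import errno
import socket

DEFAULT_PORT = 9999
ALL_ADDRESSES = "0.0.0.0"
_IN_USE = (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE))


def listener_endpoints(specs):
    """Normalise (address, port) strings the way the dialog defaults do.

    specs: iterable of (address, port) string pairs; either value may be blank.
    Returns a de-duplicated list of (address, int port) pairs in the given order.
    """
    seen, result = set(), []
    for address, port in specs:
        address = address.strip() or ALL_ADDRESSES
        port_num = int(port) if port.strip() else DEFAULT_PORT
        if not 1 <= port_num <= 65535:
            raise ValueError(f"port out of range: {port_num}")
        if (address, port_num) not in seen:
            seen.add((address, port_num))
            result.append((address, port_num))
    return result


def port_in_use(address, port, proto=socket.SOCK_DGRAM):
    """True if another socket already holds address:port for this protocol.

    No SO_REUSEADDR is set, so bind() fails with EADDRINUSE on a held port;
    any other bind error (e.g. address not local) is re-raised, not misreported.
    """
    with socket.socket(socket.AF_INET, proto) as sock:
        try:
            sock.bind((address, port))
        except OSError as exc:
            if exc.errno in _IN_USE:
                return True
            raise
    return False


def conflicting_listeners(specs):
    """Normalised endpoints that cannot be bound on this host over TCP or UDP."""
    return [ep for ep in listener_endpoints(specs)
            if port_in_use(*ep, socket.SOCK_STREAM) or port_in_use(*ep, socket.SOCK_DGRAM)]


if __name__ == "__main__":
    # Constructed sample: the dialog defaults plus one explicit listener on port 2055.
    for endpoint in conflicting_listeners([("", ""), ("", "2055")]):
        print("already in use, choose another port or stop the other service:", endpoint)
```

Run it on the collector host before saving the settings; an endpoint it reports is one that another process already holds.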
- . Select the log level details. Each level includes higher levels of severity. Verbose includes Normal and Error, for example.
- . Record log messages that are errors.
- . Record log messages with error and information-level severity.
- . Select for the highest level of logging detail. Best for troubleshooting. This option can generate a lot of log messages and be resource intensive.
- . Select how often Network Traffic Analysis writes raw data from its sources to the database. You may select 1, 2, 3, 4, 5, or 10 minutes. By default, raw data is written to the database every 2 minutes.
: Modifying collection interval settings affects the granularity and sampling revealed in Network Traffic Analysis reports. If the interval is set to five minutes, you cannot distinguish traffic collected during the first minute from traffic collected during the fourth minute.
- . When the Network Traffic Analysis collector service encounters an IP address, it tries to determine information about the host attached to that address. Once resolved, this information is stored in the Network Traffic Analysis database. Enter the interval (in hours) that Network Traffic Analysis should wait before it checks a private IP address again to pick up information that may have changed for the address. By default, private addresses are resolved every 48 hours.
- . When the Network Traffic Analysis collector service encounters an IP address, it tries to determine information about the host attached to that address. Once resolved, this information is stored in the Network Traffic Analysis database. Enter the interval (in hours) that Network Traffic Analysis should wait before it checks a public IP address again to pick up information that may have changed for the address. By default, public addresses are resolved every 720 hours (30 days).
: Because public IP addresses are less likely to be changed, you may want to use longer intervals than used for the Resolve private address interval option.
- . Enter the number of hours after which Network Traffic Analysis should purge unclassified traffic. Unclassified traffic is traffic transmitted over ports that are currently not monitored by Network Traffic Analysis. By default, this option is set to 1, which causes Network Traffic Analysis to aggregate and retain data for all unclassified ports as a single value; detailed information about the individual unclassified ports over which traffic was transmitted is discarded.
: Be cautious about increasing this value, because the Network Traffic Analysis database can grow very large as the retention time is increased.
: Once the threshold is reached, the collector purges any unclassified data that has shown no activity.
Data retention
You can use the data retention section of the Flow Monitor Settings dialog to set data retention parameters for flow and interface data. Periodic roll-up and archiving of flow data minimizes the system resources needed for data storage and improves system responsiveness during data-intensive operations.
Data retention settings
You can either manually tune data retention or allow Network Traffic Analysis to self-tune and optimize retention of flow data. Tuning is necessary to manage the growth rate of the Network Traffic Analysis databases.
Flow data includes many parameters (input and output interfaces, source and destination IP addresses, port numbers, byte rates, flow end times, and so on) which provide useful information at the price of storage. Rolling up the data makes for efficient storage, but there may be losses of time-related information within individual flows.
The following parameters are used to control the cleanup of flow data.
- . When selected, the Network Traffic Analysis collector optimizes the flow data cleanup settings itself. Use these controls to balance database size against system performance. Auto tune is enabled by default, and it is best practice to leave Auto tune of flow data retention enabled.
- . Use this option to set the percentage of raw traffic the collector writes to the database. You must clear the Auto tune check box to access this setting.
: While the default data cleanup settings are conservative, modifying the roll-up settings directly affects the size of the Network Traffic Analysis databases and the performance of the application. Take care when you modify these settings, and monitor the effect of any change on the collector database size and application performance.
: When you place the cursor in a box to change a value, a message appears at the bottom of the dialog. This message provides information about the number and percentage of the recommended maximum flow records being stored in the Network Traffic Analysis data and archive databases. As you make changes, the message predicts how the change affects the number of records stored in the Network Traffic Analysis data and archive databases.
- . Specify the minimum number of hours of raw flow packet data to retain, or keep the default value (4 hours). This setting establishes a sliding time window of raw flow packet data. When raw data ages beyond this window, it is rolled up. The roll-up of raw data happens every hour, on the hour. After data has been rolled up, Network Traffic Analysis can only report using the hourly summations.
- . Specify the number of days of hourly data to maintain, or keep the default value (24 hours). This setting establishes a sliding time window of hourly data that spans the specified number of days. As hourly data ages beyond this period it is rolled up. The roll-up of hourly data takes place daily. After hourly data is rolled up, Network Traffic Analysis can only report aggregated totals for the entire 24-hour block of time.
- . Specify the minimum number of days to maintain daily data before archiving it, or keep the default value (3 days). As daily data ages beyond this period, it is archived. Network Traffic Analysis continues to have visibility into archived data, with some restrictions. This is implemented using a sliding time window of daily data. For example, if you keep one day of data before archiving, the window covers all data from 24 hours ago until now.
- . Specify the minimum number of days of archived data to maintain, or keep the default value (7 days). This setting establishes a sliding time window of archived daily data that spans the specified number of days. After archived data ages beyond the specified period, it is purged from the flow collector database. Network Traffic Analysis can no longer report on data once it is purged.
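The four retention settings above form nested sliding windows, and the granularity you can still report on depends on which window a flow's timestamp falls in. The following is an added example (not the product's own code) that models those windows with the documented defaults so you can check, for a given flow time, whether raw, hourly, daily or archived detail is still available before an investigation relies on it. Assumptions are labelled in the code: roll-ups run at the top of the hour and at midnight, windows are measured back from the most recent roll-up boundary, and the hourly-data default is taken as one day (the page quotes 24 hours).

```python
"""Retention tiers for NTA flow data as nested sliding windows (added example, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RetentionConfig:
    raw_hours: int = 4      # raw flow packets kept at least this long (page default)
    hourly_days: int = 1    # hourly summations kept this long; assumed 1 day = page's "24 hours"
    daily_days: int = 3     # daily totals kept this long before archiving (page default)
    archive_days: int = 7   # archived daily data kept this long before purge (page default)

    def validate(self) -> None:
        # Windows must nest (each outer one longer), or an outer tier expires before an inner one.
        hours = (self.raw_hours, self.hourly_days * 24, self.daily_days * 24, self.archive_days * 24)
        if any(h <= 0 for h in hours) or list(hours) != sorted(hours):
            raise ValueError(f"retention windows must be positive and increasing: {hours}")


def tier_for(flow_time: datetime, now: datetime, cfg: RetentionConfig = RetentionConfig()) -> str:
    """Finest tier still available for a flow observed at flow_time.

    raw      -> per-packet records at collection-interval granularity
    hourly   -> hourly summations only
    daily    -> 24-hour aggregated totals only
    archived -> daily totals in the archive database (restricted reporting)
    purged   -> no longer reportable
    """
    cfg.validate()
    if flow_time > now:
        raise ValueError("flow_time is in the future")
    # Assumption: raw roll-up runs on the hour; daily roll-up, archive and purge run at midnight.
    hour_mark = now.replace(minute=0, second=0, microsecond=0)
    day_mark = now.replace(hour=0, minute=0, second=0, microsecond=0)
    cutoffs = [  # innermost window first; a window is "at least" the setting (hence "minimum")
        ("raw", hour_mark - timedelta(hours=cfg.raw_hours)),
        ("hourly", day_mark - timedelta(days=cfg.hourly_days)),
        ("daily", day_mark - timedelta(days=cfg.daily_days)),
        ("archived", day_mark - timedelta(days=cfg.archive_days)),
    ]
    for tier, cutoff in cutoffs:
        if flow_time >= cutoff:
            return tier
    return "purged"


if __name__ == "__main__":
    # Constructed sample: a report run mid-afternoon, asking about flows of various ages.
    now = datetime(2024, 3, 10, 14, 45)
    for age in (timedelta(hours=2), timedelta(hours=6), timedelta(days=2), timedelta(days=5), timedelta(days=9)):
        print(f"{age!s:>16} old -> {tier_for(now - age, now)}")
```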